CVE-2022-50736

Correctly set send queue element opcode during immediate work request flushing in post sendqueue operation, if the QP is in ERROR state. An undefined ocode value results in out-of-bounds access to an array for mapping the opcode between siw internal and RDMA core representation in work completion generation. It resulted in a KASAN BUG report of type 'global-out-of-bounds' during NFSoRDMA testing.

This patch further fixes a potential case of a malicious user which may write undefined values for completion queue elements status or opcode, if the CQ is memory mapped to user land. It avoids the same out-of-bounds access to arrays for status and opcode mapping as described above.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50736.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b

Fixed

6af043089d3f1210776d19b6fdabea610d4c7699

Fixed

75af03fdf35acf15a3977f7115f6b8d10dff4bc7

Fixed

f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6

Fixed

355d2eca68c10d713a42f68e62044b3d1c300471

Fixed

f3d26a8589dfdeff328779b511f71fb90b10005e

Fixed

bdf1da5df9da680589a7f74448dd0a94dd3e1446

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50736.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.4.229

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.163

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.86

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.0.16

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50736.json"